0 votes
25.2k views
in CompleteFTP by
Using SmartFTP client.

Authentication with client certificate fails. The tls.log gave the following:

Sep 01 15:28:39 mod_tls/2.0.6[3996]: error: unable to verify certificate at depth: 0
Sep 01 15:28:39 mod_tls/2.0.6[3996]: error: cert subject: DC = com, DC = wrcnet, CN = Users, CN = wrcgator, emailAddress = wrcgator@msn.com
Sep 01 15:28:39 mod_tls/2.0.6[3996]: error: cert issuer: DC = com, DC = wrcnet, CN = NEPTUNE
Sep 01 15:28:39 mod_tls/2.0.6[3996]: unable to get local issuer certificate
Sep 01 15:28:39 mod_tls/2.0.6[3996]: unable to accept TLS connection: error:00000001:lib(0):func(0):reason(1)
Sep 01 15:28:39 mod_tls/2.0.6[3996]: TLS/TLS-C negotiation failed on control channe

Q1. The CA certificate path is in the local machine store
Q2. What clients have been tested that support both server and client certificates?

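The log excerpt above is an OpenSSL chain-verification failure at depth 0, meaning the server could not find, in its own trust store, the certificate that issued the client's certificate. The following parser is an added example (it is not code from the question's author or from the edtFTPD project) that turns such mod_tls lines into a structured diagnosis: it extracts the subject and issuer DNs, records the failure reasons, and names the issuer CN the server could not find locally. The sample log is the excerpt from the question, embedded as a string; the line format regex is an assumption based on those lines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the tls.log lines quoted in the question.
SAMPLE_TLS_LOG = """\
Sep 01 15:28:39 mod_tls/2.0.6[3996]: error: unable to verify certificate at depth: 0
Sep 01 15:28:39 mod_tls/2.0.6[3996]: error: cert subject: DC = com, DC = wrcnet, CN = Users, CN = wrcgator, emailAddress = wrcgator@msn.com
Sep 01 15:28:39 mod_tls/2.0.6[3996]: error: cert issuer: DC = com, DC = wrcnet, CN = NEPTUNE
Sep 01 15:28:39 mod_tls/2.0.6[3996]: unable to get local issuer certificate
Sep 01 15:28:39 mod_tls/2.0.6[3996]: unable to accept TLS connection: error:00000001:lib(0):func(0):reason(1)
"""

# Assumed line layout: "<timestamp> mod_tls/<version>[<pid>]: <message>", as in the sample.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) mod_tls/\S+\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an OpenSSL one-line DN ('DC = com, CN = NEPTUNE') into ordered (type, value) pairs.
    Escaped commas inside values are not handled; mod_tls prints the plain one-line form."""
    pairs = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip(), val.strip()))
    return pairs

@dataclass
class VerifyFailure:
    depth: int | None = None                     # 0 = the presented leaf certificate itself
    subject: list = field(default_factory=list)  # DN of the certificate that failed
    issuer: list = field(default_factory=list)   # DN of the CA that signed it
    reasons: list = field(default_factory=list)  # verbatim failure messages, in log order

    @property
    def missing_issuer_cn(self) -> str | None:
        """CN of the issuer the server could not find in its trust store, if that was the failure."""
        if "unable to get local issuer certificate" not in self.reasons:
            return None
        cns = [v for t, v in self.issuer if t == "CN"]
        return cns[-1] if cns else None

def diagnose_tls_log(text: str) -> VerifyFailure:
    """Fold a run of mod_tls lines into one VerifyFailure record."""
    failure = VerifyFailure()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("error: "):
            msg = msg[len("error: "):]
        if msg.startswith("unable to verify certificate at depth: "):
            failure.depth = int(msg.rsplit(":", 1)[1])
        elif msg.startswith("cert subject: "):
            failure.subject = parse_dn(msg[len("cert subject: "):])
        elif msg.startswith("cert issuer: "):
            failure.issuer = parse_dn(msg[len("cert issuer: "):])
        elif msg.startswith(("unable to get local issuer certificate",
                             "unable to accept TLS connection")):
            failure.reasons.append(msg)
    return failure

if __name__ == "__main__":
    result = diagnose_tls_log(SAMPLE_TLS_LOG)
    print(f"depth={result.depth} missing issuer CN={result.missing_issuer_cn}")
```

Run against the sample, the diagnosis reports depth 0 and the issuer CN `NEPTUNE`: the certificate for that issuer is what the server's trust store is lacking.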
5 Answers

0 votes
by
Sorry, I did not complete Q1

Q1: The CA certificate path is in the local machine store. How do you properly configure the server so that it can find the local issuer certificate?
0 votes
by
With a bit of playing around I found that the default.conf file does not appear to actually configure the certificate and key file pointers. If you create your own server key, server cert and ca cert files you must use the same name as the files that are installed by default ;)

Now moving on to getting it to work behind a NAT based firewall - or linksys router with NAT enabled... any pointers would be appreciated.
0 votes
by (51.6k points)
Hi,

Glad you got it working. Obviously documentation is not a strong point of these beta versions of edtFTPD. For the record, all you need to do is to append the client certificate (in base-64, X.509 format) to the edtFTPD\etc\ca-root.crt file.

RE NAT: Some NATs handle FTP by spying on the commands being sent on the FTP command channel, and actually changing the IP addresses as they pass through. This doesn't work with SSL/TLS because the commands are encrypted and the NAT is not able to intercept them.

One of our edtFTPj/SSL clients is communicating across a network with NATs at both ends. He's solved the problem by using PASV connections and restricting the port-range on the server to just a single port. The NAT is set up to direct traffic on this port through to the server.

You should be able to configure edtFTPD's PASV port-range by placing the following between the CUSTOMSETTINGS tags in the edtFTPD\etc\default.conf file:
PassivePorts n n
where n is the port you want to communicate on.

Hope that helps,
- Hans (EDT Support)
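Appending a certificate to a trust bundle such as edtFTPD\etc\ca-root.crt is easy to get wrong by hand (a missing trailing newline, a duplicate copy, a block pasted in DER or with a broken footer). The helper below is an added example, not code from EnterpriseDT or from this thread, that validates the PEM block with the standard library before writing it and only appends when an identical certificate (compared by DER bytes) is not already in the bundle. The certificate body used in the demo is a constructed placeholder, not a real X.509 certificate; the bundle file name is an assumption taken from the answer above.

```python
from __future__ import annotations

import re
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def pem_blocks(text: str) -> list[str]:
    """Return every PEM certificate block in a bundle, normalised to canonical PEM.
    ssl.PEM_cert_to_DER_cert raises ValueError for a block whose framing or base64 is broken."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        der = ssl.PEM_cert_to_DER_cert(m.group(0))
        blocks.append(ssl.DER_cert_to_PEM_cert(der))
    return blocks

def append_trusted_cert(bundle_path: Path, new_cert_pem: str) -> bool:
    """Append one PEM certificate to the bundle unless it is already present.
    Returns True when the file was changed, False when the cert was already there."""
    new_blocks = pem_blocks(new_cert_pem)
    if len(new_blocks) != 1:
        raise ValueError("expected exactly one PEM certificate to append")
    new_block = new_blocks[0]
    existing = bundle_path.read_text() if bundle_path.exists() else ""
    if new_block in pem_blocks(existing):
        return False
    # Make sure the new block starts on its own line, whatever the file ended with.
    if existing and not existing.endswith("\n"):
        existing += "\n"
    bundle_path.write_text(existing + new_block)
    return True

def run_demo() -> tuple[bool, bool, int]:
    """Exercise the helper on a throwaway ca-root.crt: first append changes the file,
    a repeated append of the same cert does not, and the bundle ends up with one block."""
    # Constructed placeholder: valid PEM framing around bytes that are NOT a real certificate.
    placeholder_pem = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real X.509 cert")
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "ca-root.crt"   # assumed name, as in the answer above
        bundle.write_text("# existing bundle header, no trailing newline")
        first = append_trusted_cert(bundle, placeholder_pem)
        second = append_trusted_cert(bundle, placeholder_pem)
        count = len(pem_blocks(bundle.read_text()))
    return first, second, count

if __name__ == "__main__":
    print(run_demo())
```

Because both sides of the comparison are round-tripped through DER, a certificate pasted with CRLF line endings or a different line wrap is still recognised as a duplicate rather than appended a second time.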
0 votes
by
I tried your suggestion without success. An odd thing occurred. At the end of the default.conf file I found the following:

...
</Anonymous>
# CUSTOMSETTINGS BEGIN
# CUSTOMSETTINGS END


and added the setting you suggested with the edtFTPD server stopped and the manager open.

...
</Anonymous>
# CUSTOMSETTINGS BEGIN
PassivePorts 3000 4000
# CUSTOMSETTINGS END


I saved default.conf and opened it again to ensure the file was saved with the new settings. I started the server, tried to connect but ports above 4000 were being used. I edited the default.conf to find that the setting reverted back to:

...
</Anonymous>
# CUSTOMSETTINGS BEGIN
# CUSTOMSETTINGS END


?? puzzled.
0 votes
by (51.6k points)
<snip>...the setting reverted back to:

...
</Anonymous>
# CUSTOMSETTINGS BEGIN
# CUSTOMSETTINGS END


?? puzzled.

Sorry I forgot to tell you that edtFTPD Manager must not be open while you're editing the file. It keeps an internal representation of the file and will clobber your changes when you start the server. You're not the first person to be confused by this behaviour, so we'll probably have to change this in the next version, which is due out soon.

- Hans (EDT Support)
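Two things from this thread are worth automating: writing the PassivePorts directive between the CUSTOMSETTINGS markers of default.conf (the earlier answer), and checking after the server has started that the directive is still there rather than clobbered by the Manager's cached copy of the file (the answer above). The code below is an added example, not part of edtFTPD or of either answer, that edits only the text between the two marker lines, replaces an existing directive of the same name instead of duplicating it, and re-reads the configuration to confirm the setting survived. The sample configuration tail is constructed from the fragments quoted in the thread.

```python
from __future__ import annotations

BEGIN = "# CUSTOMSETTINGS BEGIN"
END = "# CUSTOMSETTINGS END"

# Constructed sample: the tail of default.conf as quoted in the thread, before any edit.
SAMPLE_CONF = """\
</Anonymous>
# CUSTOMSETTINGS BEGIN
# CUSTOMSETTINGS END
"""

def _block_span(conf: str) -> tuple[int, int]:
    """Offsets of the text strictly between the BEGIN and END marker lines."""
    if conf.count(BEGIN) != 1 or conf.count(END) != 1:
        raise ValueError("default.conf must contain exactly one CUSTOMSETTINGS block")
    start = conf.index(BEGIN) + len(BEGIN)
    end = conf.index(END)
    if end < start:
        raise ValueError("CUSTOMSETTINGS END precedes CUSTOMSETTINGS BEGIN")
    return start, end

def custom_settings(conf: str) -> dict[str, str]:
    """Directives currently inside the CUSTOMSETTINGS block as {name: value}."""
    start, end = _block_span(conf)
    settings = {}
    for line in conf[start:end].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        settings[name] = value.strip()
    return settings

def set_custom_setting(conf: str, name: str, value: str) -> str:
    """Insert or replace one directive inside the block; everything outside it is untouched."""
    start, end = _block_span(conf)
    lines = [l for l in conf[start:end].splitlines() if l.strip()]
    lines = [l for l in lines if l.split(None, 1)[0] != name]   # drop an older copy
    lines.append(f"{name} {value}")
    return conf[:start] + "\n" + "\n".join(lines) + "\n" + conf[end:]

def set_passive_port(conf: str, port: int) -> str:
    """Pin the PASV range to a single port, 'PassivePorts n n', as suggested in the thread."""
    if not 1024 <= port <= 65535:
        raise ValueError("port must be an unprivileged TCP port")
    return set_custom_setting(conf, "PassivePorts", f"{port} {port}")

def settings_survived(conf_after_restart: str, expected: dict[str, str]) -> bool:
    """Re-read default.conf after starting the server and confirm the block still holds
    what was written; a False here is the 'reverted' symptom described in the thread."""
    actual = custom_settings(conf_after_restart)
    return all(actual.get(k) == v for k, v in expected.items())

if __name__ == "__main__":
    edited = set_passive_port(SAMPLE_CONF, 3000)
    print(edited)
    print("survived:", settings_survived(edited, {"PassivePorts": "3000 3000"}))
```

In practice the check is run against the file on disk once the server is up: if it returns False while the Manager was open during the edit, the cached copy has overwritten the change, and the edit needs to be redone with the Manager closed.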
